Deployment Architecture

Why are not all indexes available to select from "Available search indexes" during role creation?

renjith_nair
SplunkTrust
  • Splunk License : Enterprise
  • Splunk version : 6.4.0
  • Deployment Model : Search head cluster, indexer cluster

We are not able to see all indexes (not even 3%) in the Available search indexes and Available indexes drop-downs to select while creating a new role from the search heads. The indexes are created by pushing indexes.conf from the master, since it's a clustered environment.

We are able to create the role successfully by adding the parameter srchIndexesAllowed from the command line on the search head, and it is being replicated across the SHC and users are able to use it. However, it's still not showing in the UI under **Settings » Access controls » Roles**.

The indexes are visible on the indexer clustering page on the master and even in the DMC, but also not on the master under **Settings » Access controls » Roles**.

There was a bug in the earlier versions of Splunk, but it was fixed in the latest versions.

Is there any limit on the number of indexes displayed, because we have more than 2K indexes?

Thanks!

Happy Splunking!
0 Karma

indoorsman
Engager

It appears this issue has come back in Splunk Enterprise 7.1.0.

carlosumbc
New Member

I have noticed the issue in 7.1.0 as well.

0 Karma

janlar
Explorer

Yes, I also noticed the issue in 7.1.0.

0 Karma

diogomesilva
Observer
0 Karma

dshpritz
SplunkTrust

The search head doesn't actually get a list of the indexes from the master, at least not one that it uses for populating this list (yeah, kinda lame). As such, we usually create "dummy" indexes on search heads, just to populate the list. As long as your search head is forwarding its events back to the index cluster (best practice), then the indexes really only get used for populating GUI stuff.

renjith_nair
SplunkTrust

Hello David(@dshpritz),

Sorry, but it's hard to believe, because:

  • We have a few indexes populated in this drop-down even though they are created from the master.
  • The indexes which are showing up in the drop-down are not part of the search head's indexes.conf but come from the cluster master/indexers.
  • We were always doing the role addition from Splunk Web using this functionality until we automated index creation and role addition (using the Splunk CLI itself).
  • Data from the search head is always forwarded to the cluster.
  • We created a few "dummy" summary indexes on the search head and they are also not showing in this list.
  • As per this post, indexes-from-peer-nodes-not-visible-in-role-creation, the issue is fixed in 6.0.3 as per @rbal_splunk.
  • We do have another environment with the same setup (indexer and SH clusters) and there the issue is not present (version is 6.4.2).

Happy Splunking!
0 Karma

JohannLiebert92
Path Finder

Hi,

I'm facing the same issue in my Splunk deployment as well. I'm running Splunk 7.0.2. May I know if it is a known issue? If yes, may I have the case ID, please?

Thanks!!

0 Karma

dshpritz
SplunkTrust

I understand that Splunk says that this bug is fixed; however, in my experience, that isn't true. I would open a case with Splunk support if the list in the roles view isn't the same as those available in the indexes view, as that sounds like a bug.

0 Karma
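An added example, not posted by anyone in this thread and not Splunk's own code: a Python check that lists, per role, the `srchIndexesAllowed` entries that match no index stanza in the search head's local indexes.conf, which is the roles-versus-indexes comparison suggested in the last reply. The role names, index names and file contents are constructed samples, and the script assumes it is given already-merged configuration text (on a real search head the effective settings come from several app directories).

```python
from fnmatch import fnmatchcase

# Constructed samples; role and index names are made up for illustration.
AUTHORIZE_CONF = """\
[role_app_team]
srchIndexesAllowed = app_web;app_db;summary_app
[role_sec_team]
srchIndexesAllowed = sec_*;_audit
"""
INDEXES_CONF = """\
[app_web]
homePath = $SPLUNK_DB/app_web/db
[sec_fw]
homePath = $SPLUNK_DB/sec_fw/db
[_audit]
homePath = $SPLUNK_DB/audit/db
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def unresolved_role_indexes(authorize_text, indexes_text):
    """Return {role: [srchIndexesAllowed entries (names or wildcards such
    as sec_*) that match no index defined in the local indexes.conf]}."""
    local = [s for s in parse_conf(indexes_text)
             if s != "default" and not s.startswith("volume:")]
    report = {}
    for stanza, settings in parse_conf(authorize_text).items():
        if not stanza.startswith("role_"):
            continue
        allowed = settings.get("srchIndexesAllowed", "")
        entries = [e.strip() for e in allowed.split(";") if e.strip()]
        missing = [e for e in entries if not any(fnmatchcase(i, e) for i in local)]
        if missing:
            report[stanza[len("role_"):]] = missing
    return report

if __name__ == "__main__":
    print(unresolved_role_indexes(AUTHORIZE_CONF, INDEXES_CONF))
```

A non-empty result means a role grants search access to indexes the search head has no local definition for, so the role's effective access cannot be reviewed from the local index list alone.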